    Author Archive - Abigail Pichel (Technical Communications)

    Who says you can’t teach old malware new tricks? Recently, we reported on how ZBOT had made a comeback of sorts in 2013; this was followed by media reports that it was now spreading via Facebook. Now, we have spotted a new ZBOT variant that can spread on its own.

    This particular ZBOT variant arrives through a malicious PDF file disguised as a sales invoice document. If the user opens this file using Adobe Reader, it triggers an exploit which causes the following pop-up window to appear:


    Figure 1. The error message upon execution of the malicious PDF file

    While this is going on, the malicious ZBOT variant – WORM_ZBOT.GJ – is dropped onto the system and run. It is here that several differences start to appear.

    First of all, WORM_ZBOT.GJ has an auto-update routine: it can download and run an updated copy of itself. Secondly, it can spread to other systems via removable drives, such as USB thumb drives.

    It does this by searching for removable drives and, on each one, creating a hidden folder that contains a copy of itself, together with a shortcut that points to the hidden ZBOT copy.

    Figure 2. WORM_ZBOT.GJ Infection Chain

    Figure 3. Portion of WORM_ZBOT.GJ code creating copy of itself
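    As an added defender-side check (not Trend Micro's code), the following Python scans a drive root for the layout described above: a hidden folder holding an executable and a root-level shortcut whose stored target path points into it. The executable-extension list, the dot-prefix stand-in for "hidden" on non-Windows systems and the byte-search heuristic for the shortcut target are assumptions; the header magic is the Shell Link format's HeaderSize and CLSID.

```python
import os
import tempfile

LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")  # HeaderSize + LNK CLSID
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".vbs", ".pif"}  # assumed list
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_hidden(path):
    """Windows: test the Hidden attribute; elsewhere a dot-prefix stands in."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_hidden_exec_shortcuts(root):
    """Return (shortcut, hidden_dir, executable) triples matching the layout."""
    hidden = {d: [f for f in os.listdir(os.path.join(root, d))
                  if os.path.splitext(f)[1].lower() in EXEC_EXTS]
              for d in os.listdir(root)
              if os.path.isdir(os.path.join(root, d)) and is_hidden(os.path.join(root, d))}
    hits = []
    for name in os.listdir(root):
        full = os.path.join(root, name)
        if not (name.lower().endswith(".lnk") and os.path.isfile(full)):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        if not data.startswith(LNK_MAGIC):
            continue  # not a genuine Shell Link file
        for hdir, exes in hidden.items():
            for exe in exes:
                # Shell Link files store the target path as ANSI and/or UTF-16LE strings.
                target = f"{hdir}\\{exe}"
                if target.encode() in data or target.encode("utf-16-le") in data:
                    hits.append((name, hdir, exe))
    return hits


def demo():
    """Constructed layout in a temp dir: .hidden/invoice.exe plus a root invoice.lnk."""
    root = tempfile.mkdtemp()
    hdir = os.path.join(root, ".hidden")
    os.mkdir(hdir)
    if os.name == "nt":  # a dot-prefix is not hidden on Windows; set the attribute
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(hdir, FILE_ATTRIBUTE_HIDDEN)
    open(os.path.join(hdir, "invoice.exe"), "wb").write(b"MZ placeholder")
    # Fake shortcut: valid header magic, zero padding to 76 bytes, then the ANSI target path.
    open(os.path.join(root, "invoice.lnk"), "wb").write(LNK_MAGIC + b"\x00" * 56 + b".hidden\\invoice.exe\x00")
    return find_hidden_exec_shortcuts(root)
```

    Run it against a mounted removable drive's root instead of the temp directory to check real media.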

    This kind of propagation by ZBOT is unusual, to say the least. ZBOT malware is usually distributed by exploit kits and/or malicious attachments, so this behavior is not something we’d normally expect to see; it could mean an increase in ZBOT infections moving forward. It is, however, in line with our 2013 predictions, which said that older threats would continue to be seen in 2013, refined to make them more effective. In the past, some ZBOT variants have used other unusual means – like file infectors – to spread.

    These threats are some of the newest changes to the crimeware landscape; we earlier documented this particular threat in the paper The Crimeware Evolution. Neither propagating via removable drives nor auto-updating is particularly novel; many malware threats have used these behaviors in the past. Most notably, the Conficker/DOWNAD threat used both quite effectively, and to this day it remains a significant threat: it was still in the top 10 malware in the Americas and Caribbean in 2012, despite being several years old.

    We protect Trend Micro users by detecting WORM_ZBOT.GJ, as well as blocking websites related to this threat. We will provide additional information if necessary to protect our users.

    With analysis from Threat Response Engineers Joie Salvio and Alvin Bacani

    Posted in Malware



    When it comes to cybercriminal targets, it truly is a popularity contest. Multiple sites were found compromised, including some popular with Japanese users. Using feedback provided by Trend Micro Deep Discovery, we identified 40 compromised domains; since yesterday, almost 60,000 hits have been recorded on these sites.

    One of the compromised sites contains an obfuscated JavaScript (detected as JS_BLACOLE.SMTT) designed to load a hidden iframe, which loads invisibly in the user’s browser.


    Figure 1. Encrypted JavaScript inserted onto compromised site


    Figure 2. Decrypted JavaScript that could lead users to malicious sites

    Figure 1 shows the obfuscated JavaScript, or JS_BLACOLE.SMTT, that’s on the compromised site. Figure 2 shows the decrypted JavaScript, which leads users to more malicious sites.

    The hidden iframe loads a .PHP file (detected as JS_BLACOLE.MT) that checks which software is installed on the user’s computer and then loads the appropriate exploits. These lead to the download of malicious PDF files, which exploit an old vulnerability (CVE-2010-0188) in Adobe Reader and Acrobat. Other software targeted for exploitation includes Java and Flash. This behavior indicates that the attacker used the Blackhole Exploit Kit in these attacks.
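    As an added example (not from the original post), a small Python scanner a site owner could run over saved pages to flag the two stages described above: an inline script that leans on runtime decoding (eval, unescape, String.fromCharCode, document.write) and an iframe hidden by style or 1x1 size, including one that only appears after decoding an unescape('%..') string. The heuristics, thresholds and the sample page with its example.invalid landing URL are constructed.

```python
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DIM_RE = re.compile(r"\b(width|height)\s*=\s*[\"']?(\d+)", re.I)
PERCENT_RE = re.compile(r"unescape\(\s*[\"']((?:%[0-9a-f]{2})+)[\"']\s*\)", re.I)


def hidden_iframes(html):
    """Return src values of iframes that are invisible by style or by 0/1 pixel size."""
    found = []
    for attrs in IFRAME_RE.findall(html):
        dims = {k.lower(): int(v) for k, v in DIM_RE.findall(attrs)}
        tiny = any(dims.get(k, 100) <= 1 for k in ("width", "height"))
        if tiny or HIDDEN_STYLE_RE.search(attrs):
            m = re.search(r"src\s*=\s*[\"']([^\"']+)", attrs, re.I)
            found.append(m.group(1) if m else "(no src)")
    return found


def scan_html(html):
    """Flag decoder-heavy inline scripts (two or more distinct decoder calls, an assumed
    threshold) and hidden iframes, including iframes revealed by decoding unescape('%..')."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        calls = sorted({c.lower() for c in DECODER_RE.findall(body)})
        if len(calls) >= 2:
            findings.append("obfuscated-script:" + ",".join(calls))
        for blob in PERCENT_RE.findall(body):  # second stage: decode and re-scan
            for src in hidden_iframes(unquote(blob)):
                findings.append("decoded-hidden-iframe:" + src)
    for src in hidden_iframes(html):
        findings.append("hidden-iframe:" + src)
    return findings


# Constructed sample pages: a clean page and the same page with an injected script
# that writes a percent-encoded 1x1 iframe at runtime.
CLEAN_PAGE = ('<html><body><script>var a = 1;</script>'
              '<iframe src="/map" width="300"></iframe></body></html>')
STAGE2 = '<iframe src="http://landing.example.invalid/x.php" width="1" height="1"></iframe>'
ENCODED = "".join(f"%{b:02x}" for b in STAGE2.encode())
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", f"<script>document.write(unescape('{ENCODED}'))</script></body>")
```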

    Users should remember that cybercriminals are catching up with the digital landscape. They will take advantage of any online activity—no matter how mundane—to gain more victims. They are also not selective; one of the compromised sites caters to both students and businesses.

    End users should ensure that their installed software is patched, as this can prevent attacks that use old exploits – like this one – from succeeding. Site owners should exercise similar precautions with their installed server software – particularly content management systems – and ensure that their own passwords are sufficiently random and difficult for attackers to guess. Inputs should be sanitized as well, to prevent SQL injection attacks.

    Trend Micro provides protection by blocking related malicious sites and detecting the malware.

    With additional inputs from Threat Researcher Rhena Inocencio and Threats Analyst Yoshikawa Takashi.

    Update as of June 5, 2:15 AM PDT

    The malicious PDF files noted earlier in this post are detected as TROJ_PIDIEF.MT. The files downloaded by this malware are saved with legitimate-looking filenames; however, despite their .EXE extension, they are non-executable and non-malicious. These files could easily be replaced by malware, so it is possible that this attack was still being tested when it was released into the wild.

    Posted in Exploits, Malware



    With the amount of media coverage surrounding this year’s papal conclave and inauguration, it’s hardly a surprise that cybercriminals have taken advantage of this event to victimize users. We recently spotted spam that uses newly-elected Pope Francis as the subject.

    These email messages use the new pope and controversies surrounding the Catholic Church to pique the recipients’ curiosity. To convince users of the legitimacy of the emails, they cite CNN as the alleged source. A screenshot of an email can be seen below:

    Figure 1. Sample spam entry

    It should be noted that while the topic is supposedly about Pope Francis, the email below calls the new pope Benedict, which is actually the name used by his predecessor.

    Figure 2. Spam entry with wrong headline

    The embedded links lead users to sites which have been compromised by the Blackhole Exploit Kit (BHEK). The Blackhole Exploit Kit has been used to deliver a wide variety of malware, including:

    • Infostealers
    • Backdoors
    • Remote Access Trojans (RATs)
    • Rootkits

    We detect and block all related spammed messages and all associated URLs.

    As for the related malware, we found out that the final payload (detected as TROJ_PIDIEF.SMXY) exploits CVE-2009-0927, a dated vulnerability in Adobe Reader and Acrobat, to perform its routines. Thus, users must ensure that their systems are up-to-date with the latest software update.


    Posted in Bad Sites, Exploits, Malware, Spam



    Mobile malware continues to grow not only in number but in sophistication. We recently spotted botnet malware running on over a million infected smartphones. And while Android users are the main targets, Apple users could soon find themselves victims, with reports of pirated apps finding their way onto iOS devices. With these recent developments, our prediction of 1 million malicious detections by the end of 2013 hardly seems far-fetched.

    But should users be concerned about malware only? No, they should also be concerned about their data. Given some of the activities done on smartphones involve a lot of information—email, gaming, and social networking—protecting data on mobile devices should be a priority.

    While data-stealing malware is a threat to privacy, legitimate apps can also put user data at risk. But these aren’t the only ways that information can go public. Common user behavior such as connecting to public WiFi networks and playing games on social media sites can allow others to view online activities. Browsing histories can be collected to send targeted ads to users. Even online profiles can become a risk if users post too many details.


    Posted in Mobile



    The way we are held accountable for ourselves in public gatherings such as events and celebrations is very similar to how we should behave when it comes to our online presence in social networks. The number of participants, the level of engagement, and the variety of activities are just some of the ways in which the two settings are alike. A good example of this similarity is an event that has just recently begun: Oktoberfest.

    Much like the web, Oktoberfest is a very chaotic but fun place. First held in 1810, Oktoberfest continues to attract visitors by the millions. In fact, 6.9 million visitors went to Oktoberfest last year, consuming 7.5 million liters of beer.

    And though enjoyment is the goal for most in both settings, it is also important to keep in mind that they are also prone to incidents such as loss of items and theft. In real life, this may translate to precautions such as keeping valuables in a safe place, but on the web it is a little more complicated. In social networks, users are strongly advised to manage their privacy settings and keep the visibility of their personal information to a minimum, so as to avoid unauthorized access and the possibility of information theft.

    For additional tips on making the most out of your Oktoberfest experience, read our infographic, “Off to Oktoberfest!”

    Posted in Social


    © Copyright 2013 Trend Micro Inc. All rights reserved.