A few days ago, we reported about a phishing email that is supposedly a Microsoft Outlook notification, telling users to reconfigure their program by clicking on the link provided. Instead of an update, however, the user is redirected to a phishing Web site, where s/he is asked for his/her account information, including incoming and outgoing mail server.

Apparently, this attack was successful as Trend Micro has recently detected a new spam message that uses the same technique:

Figure 1: Spam sample #1

Instead of a malicious link, this message carries a .ZIP file named micr__outlook_update_6556.zip, the contents of which are detected as as TROJ_BRANVINE.D.

The said Trojan connects to dubious Web sites to further download malicious files detected as TROJ_FAKEAV.BGC and TROJ_AGENT.AUBW.

To protect ourselves from such attacks, let’s exercise our best judgement and be careful of opening email attachments, even if they are from individuals or organizations we are likely to trust. An innocent-looking message can very well be a wolf in sheep’s clothing.

Early last week we alerted a government agency about one of the pages in their site that appears to have been injected with malicious frames. The San Bernardino County site’s probation page was, during that time, carrying a frame that directs users to a known disease vector under the domain videosdivx(dot)net. The target URL bear the strings “KATRINA+HALILI+NUDE” which suggests that videos or pictures of the Filipino actress may be viewed from the URL. Halili is currently involved in a much talked about sex video scandal proliferating in the Philippines.

While the site is now clean, Threat Analyst Joseph Pacamarra found another attack capitalizing on the same sex video scandal, this time using the Ask George website, the state-wide information portal of Washington DC in the US. Accessing the said page, which had been injected with a script containing the words “katrina+halili+sexy+pic,” redirects to a site under a certain hot-unlikely-tube(dot)com domain.

Clicking on the black screen, the user is informed that s/he needs to download a codec to be able to watch the video. But instead of a codec, the user downloads malware: TROJ_DLOAD.TID and its payload, TROJ_COGNAC.J.

TROJ_COGNAC.J is saved as b.exe. It modifies the system registry to make sure it runs at every startup. It assists TROJ_DLOAD.TID in downloading files named qwerce.gif and a.exe from different URLs. As of this writing, the .gif file is non-malicious, and the URL that downloads a.exe is not accessible. While this means little danger for current victims of these attacks, the actual contents of the URLs may actually change any time to exhibit more dangerous side-effects.

The affected pages from the said site appear to have been modified last May 30, early morning US time. (Updated June 2, 22:40 PM PST: We have verified that the affected site is now clean as of this writing. Website administrators are advised to conduct penetration testing for their sites especially for high-traffic and high-interactivity ones.)

As many as 13,000 Twitter users have been affected by a new “worm-like” phishing attack that feeds on some members’ desire to gain more followers. The said scam dupes users into forking over their account names and passwords using a Web site called “Twittercut.”

Twitter users may see the following tweet in their stream:

When they click on the link, they are redirected to a fraudulent Twitter Web site that asks them for their account name and password. Once the needed login details are entered, the site sends similar messages to all of the affected users’ followers, along with links to a paid dating service.

The messages are said to have started from an account called @twittercut, which had been disabled. But then the tweets continued to come, this time from a new account called @tweetcut. The latter is now also inoperative.

The site operators at TwitterCut denied phishing allegations and announced that they were shutting the site down.

“According to several social network blog sites, TwitterCut has been the bud of several rumors,” they said on a message on their site. “Our website and its programmers can assure you that these rumors are not true and that TwitterCut is simply a Twitter train that was a work in progress!”

Twitter acknowledged the problem with a post on its status page Tuesday night. “We are currently pushing a password reset on accounts we believe may have been caught in a phishing scam,” said the company. “Please exercise your best judgement when thinking about releasing your username and password to third parties.”

Microsoft finally released on Tuesday the patch for the PowerPoint vulnerability that has been exploited by cybercriminals early last month. The said update patches 14 Microsoft PowerPoint vulnerabilities, 11 of which were rated as critical, Microsoft’s highest threat ranking. It provides fixes for some versions of Microsoft Office, including 2000, XP, 2003 and 2007.

However, this batch of patches does not address Office 2004 and 2008 on Macs, which suffer from the same vulnerabilities. According to the Microsoft Security Bulletin MS09-017, the updates for Mac are “still in development.”

This update resolves a publicly disclosed vulnerability and several privately reported vulnerabilities in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file. This vulnerability was exploited to full effect when cybercriminals fashioned PowerPoint files and sent them to unknowing users. These files, when opened, drop a couple of malware (KUPS variants) that perform several suspicious activities including sending a list of the PC’s contents to a certain IP address.

Users are strongly advised to update their system with this latest patch immediately. Moreover, until Microsoft issues a security fix for Mac versions of Office, Mac users are encouraged to exercise caution in opening PowerPoint files that come from doubtful sources, especially spam messages and online downloads. Trend Micro Smart Surfing for Mac blocks IMs and email links that lead to malware that attempt to exploit these vulnerabilities.

Related posts:

• New Exploit Takes on MS PowerPoint
• April 2009 Patch Tuesday Release
• Trend Micro Security Advisory for MS09-017

OfficeScan users with Intrusion Defense Firewall plugin installed are protected from this threat if they have updated to the latest filters (IDF09014).

Days after the Twitter worm outbreak that affected “tens of thousands of users,” the attacks on the popular microblogging site are anything but slowing down. In fact, cyber criminals are taking advantage of the public’s interest and high media coverage of the incident to spread malicious links.

Among the top ten search results in Google for “Twitter worm” and “Mikeyy,” the name of 17-year-old author of the said worm, is a link that connects the user to a malicious URL that download malware into his/her system.

The link in the result connects to a URL detected as HTML_DLOADR.NIC. The said URL is inaccessible as of this writing, but analysis reveals that it loads a JavaScript which is detected as JS_DLOADR.NIB.

JS_DLOADR.NIB connects the user to a URL which further redirects the user into sites that trigger the download of TROJ_DLOADR.NID and TROJ_DLOADR.NIA into the affected system.

TROJ_DLOADR.NID downloads TROJ_FAKEAV.RAG and TROJ_AGENT.GDAG, meanwhile TROJ_DLOADR.NIA cannot not run properly due to an error in its code. Trend Micro engineers are still verifying if this Trojan has the capability to download other malware. All mentioned URLs and malicious files are blocked and detected respectively, through the Trend Micro Smart Protection Network.

“Mikeyy,” the author of the Twitter worm recently accepted a job at a Web applications development firm. As relieving as this can be, a 17-year-old managing to land himself a job because of a deploying a worm isn’t exactly the best example to other young people like “Mikeyy” in terms of the consequences that entail doing such actions.

Technical information provided by Trend Micro Antivirus Engineer Jasper Manuel.