    Author Archive - Alice Decker (Senior Threat Researcher)

    Stealth techniques used by malware are considered a core characteristic, one that has been developed, improved, redesigned, and reused. Michael Tants, Threat Researcher at Regional TrendLabs in Europe, has notified us of a worm with a unique way of hiding: on infection, WORM_AUTORUN.JFZ writes a copy of itself into every ZIP-compressed file it finds on a system.


    When WORM_AUTORUN.JFZ places a copy of itself in an archive, it uses a double extension, adding .GIF and .SCR.

    The .GIF extension is the social engineering factor. Curious users who still have Windows Explorer's default configuration (where the extensions of known file types are hidden) may have an unpleasant experience once they double-click the purported image file. The .SCR extension, on the other hand, makes it an executable file.
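As an added example (not code from the original post or from Trend Micro), here is a small Python scanner that lists ZIP members whose names hide an executable extension behind a data extension, the way the worm's .GIF.SCR copies do; the extension lists and the sample archive are constructed for this illustration, and the check generalizes to other decoy pairs such as .txt.lnk.

```python
import io
import os
import zipfile

# Extensions Windows will execute on double-click (partial list, chosen for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk", ".vbs", ".js"}
# Extensions commonly used as the harmless-looking first half of a double extension.
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".txt", ".doc", ".pdf"}


def is_deceptive_name(member_name: str) -> bool:
    """True when a name like 'photo.gif.scr' hides an executable behind a data extension."""
    base = os.path.basename(member_name.replace("\\", "/"))
    stem, last = os.path.splitext(base)          # 'photo.gif', '.scr'
    _, first = os.path.splitext(stem)            # '.gif'
    return last.lower() in EXECUTABLE_EXTS and first.lower() in DECOY_EXTS


def scan_zip(zip_bytes: bytes) -> list:
    """Return the member names inside a ZIP that use a decoy double extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and is_deceptive_name(info.filename):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign document plus two members named like the worm's copies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers")
        zf.writestr("holiday.gif.scr", b"MZ" + b"\x00" * 32)        # placeholder bytes, not a real binary
        zf.writestr("photos/beach.jpg.exe", b"MZ" + b"\x00" * 32)   # same, nested in a folder
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_zip(build_sample_zip()):
        print("suspicious member:", name)
```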

    Writing itself into data files is not the only way this worm ensures its presence on a system. It also uses traditional spreading methods, dropping a copy of itself (kkk.exe) together with an autorun.inf into all available physical, removable, and shared drives.

    We strongly urge you to regularly update your pattern files and scan your systems for malware and grayware. The Trend Micro Smart Protection Network already protects users from this kind of threat.


    These days, German users are receiving emails announcing that a company called IT-Electronics is looking for professionals in search of extra income.


    Here is a rough translation of the email message:

    Dear recipient,

    IT Electronics, the leading Asian firm in the field of information technology, announces again its intention to employ workers in Germany. We give you another chance to work with us and to have extra income.

    We are looking for honest, responsible and industrious people aged 21 to 67 years old for the representation of our company in your region. To optimize our company’s work in Germany and for the improvement of our business development, we need people who can afford 2-3 hours per day. This is an opportunity to work from home and to earn 300-500 € (Euro) per week.

    We invite you to visit the IT-Electronics website to view our job vacancy.

    There are no fees or expenses required; we offer a real and honest opportunity to work from home for an extra income.

    The link in the email leads to what seems to be the IT-Electronics website, where the careers tab contains a job offer written in German (the rest of the web page is in English). While this is so far nothing new or unexpected, it turns out that the job description is very similar to the infamous Nigerian scam:


    The job description translates to the following:

    1. Our client (which might be located in your region) informs us about his desire to enter a supply contract.
    2. We give our customer your contact data and he transfers funds directly to your bank account. You must tell us when the funds are received.
    3. On the same or the next day, we proceed with the shipment of our production to the customer.
    4. You’ll get instructions on how these funds may be transferred to our bank account.

    We pay you a percentage of each transaction. The typical amount is 5-7% of the funds received in your bank account. You will receive this commission immediately after the customer’s payment is received by us. We will also cover all costs associated with the money transfer.

    The job applicant only needs a phone and a bank account: the phone to arrange money transfers with potential customers of IT-Electronics, and the bank account to pass the money on to IT-Electronics.

    Analysis reveals that the emails were sent from accounts located in Colombia, Mexico, the US, and Germany, most probably by botnet zombies. The IT-Electronics website is hosted in China, which is quite infamous for hosting rogue sites.

    Well, in case you’re interested in taking the job, here is one important fact that they didn’t put in the job description: money laundering is illegal.

    Posted in Spam


    Last week, the Anti-Malware Testing Standards Organization, or AMTSO, held its second members’ meeting this year, which took place in Budapest, Hungary as an extension of the CARO Workshop. AMTSO released new papers on its website, adding to its roster of documents on the organization’s principles and guidelines for testing.

    Trend Micro has been constantly and actively present since the meetings began. This month, AMTSO is celebrating its first year anniversary, and as a small treat for our readers, I would like to highlight one of the organization’s motivations.

    Compared to today’s threat landscape, I like to assume that prior to 2005 the antivirus industry had a “relaxed” life. Signatures for malware were meticulously developed and updated on a regular basis, while heuristics and generic detections were considered an engine’s technical high point. Antivirus testers are sometimes individuals but more often companies or global computer magazines, such as PC World, that evaluate programs or suites designed to protect against malware. Their life prior to the “Threat Big-Bang” can also be considered relatively relaxed, because tests were done using one core module: the virus scanner. Evaluation was easy, and it was normally based on scan results, mostly triggered on-demand.

    Cyber evolution and the Internet’s lack of regulation facilitated the “Threat Big-Bang,” in which (1) within a span of just four years the volume of malware increased by 2,500 percent, (2) the Web became the most used platform for scams against physical and digital persons, and (3) software vendors and the antivirus industry identified the trend and began to redesign and rethink their services to keep the high quality of the security they provide.

    Word has it that in the testers’ camp, the evaluation of protection against cyber threats is still sometimes limited, since results are delivered solely by the virus scanner module while other modules are either ignored or misinterpreted.

    Trend Micro Office Scan has a total of nine core modules, including the traditional virus scanner.

    Notice that nowadays the top 20 virus scanners have an on-demand detection rate between 90 and 99 percent, whereas five years ago the range began at around 70 percent. However, this is only one module out of the many that assure protection under given circumstances.

    In order to address individual concerns from vendors and testers, these groups have decided to sit at the same table and work together to support customers instead of confusing them with scientific debates.

    AMTSO is now an established platform where testers and vendors can come together to inform, learn, exchange experiences, deliberate, and agree on best practices for testing whole products, modules, or features in a fair way. And this sense of fairness has one single common denominator: protection against fraud involving data and identity.

    Happy Birthday, AMTSO!


    In Germany we noticed that a new massive wave of “Rechnung” malware spam mails continues today, with a special scam inside.

    The messages received today have diverse subject lines (“Abbuchung”, “Lastschrift”, “Amtsgericht”). The email bodies are also written differently, but have the same meaning: the information that money has been debited directly from the user’s account.


    Figure 1: email sample of spammed message

    The malware comes attached in a “” archive as “zertifikat.ssl” (WORM_AUTORUN.PB). In addition, the archive includes another file, “Rechnung.txt.lnk”. Note that this file has a double extension, unlike zertifikat.ssl. Because the default Windows Explorer configuration keeps the extensions of known file types hidden, Rechnung.txt.lnk is mostly displayed as Rechnung.txt, both in the archive and after it is extracted to disk.

    Only one statement consistently exists in all the email samples we’ve found, and it is highlighted below:

    Figure 1: email sample of spammed message

    In the said statement, the initiators point out that the recipient doesn’t need to worry about the “zertifikat.ssl” file, since it is only the certificate for the invoice itself. The criminals try to lure users by assuring them that the file Rechnung.txt.lnk is the only one that needs to be double-checked. Indeed… this is true! A file with the .SSL extension, like the malware file zertifikat.ssl, wouldn’t execute on a simple double-click, but it would when a .LNK file pointing to it is opened, which in this case is “Rechnung.txt.lnk”.

    Similar to Autorun.inf and .PIF files, LNK files automatically execute the path stored inside them:

    Figure 3: Binary code of Rechnung.txt.lnk

    To make sure that the SSL file is properly executed, this particular “Rechnung.txt.lnk” file calls the system’s command line, C:\Windows\System32\cmd.exe, to execute zertifikat.ssl from the current directory. Execution through LNK files is not a special trick. It is one of the usual functionalities and features of the Windows operating system; without them, our life would be like the Internet without Web 2.0.
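As an added example, not code from the post, here is a Python parser for the StringData part of the Shell Link (.LNK) format that pulls out the RelativePath and Arguments fields, plus a check that flags a shortcut like Rechnung.txt.lnk which launches cmd.exe against a non-executable file. The build_lnk helper constructs a minimal sample shortcut for the illustration, and the list of interpreters is an assumption of this example.

```python
import struct

# LinkFlags bits from the Shell Link (.LNK) binary format header (MS-SHLLINK).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")  # assumed list

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, ...) of a .LNK file."""
    header_size, flags = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if header_size != 0x4C:
        raise ValueError("not a shell link: bad header size")
    off = 0x4C
    if flags & HAS_ID_LIST:        # LinkTargetIDList: 2-byte size, then the item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: 4-byte total size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:   # each present string: 2-byte char count, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    return fields

def lnk_findings(lnk_name: str, fields: dict) -> list:
    """Reasons a shortcut looks like the Rechnung.txt.lnk decoy: its name and what it launches."""
    reasons = []
    stem = lnk_name.lower().rsplit(".lnk", 1)[0]
    if "." in stem:  # Explorer hides .lnk, so 'Rechnung.txt.lnk' is shown as 'Rechnung.txt'
        reasons.append("double extension: displays as ." + stem.rsplit(".", 1)[1])
    launcher = fields.get("relative_path", "").lower().rsplit("\\", 1)[-1]
    if launcher in INTERPRETERS:
        reasons.append("launches command interpreter " + launcher)
        for tok in fields.get("arguments", "").split():   # e.g. '/c zertifikat.ssl'
            ext = tok.rsplit(".", 1)[-1] if "." in tok else ""
            if ext and ext.lower() not in ("exe", "bat", "cmd", "com"):
                reasons.append("interpreter runs a non-executable extension: " + tok)
    return reasons

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shell link carrying only RelativePath and Arguments (sample data)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")   # the shell link CLSID
    header = struct.pack("<I16sI", 0x4C, clsid, 0x08 | 0x20 | IS_UNICODE).ljust(0x4C, b"\x00")
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)
```

Running `lnk_findings("Rechnung.txt.lnk", parse_lnk_strings(build_lnk("C:\\Windows\\System32\\cmd.exe", "/c zertifikat.ssl")))` yields three findings: the hidden double extension, the interpreter launch, and the non-executable .ssl target.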

    When an experienced user tries to open the LNK file, even with an editor, he will be confused to see the contents of the file zertifikat.ssl instead. To view the original file, the user actually needs to rename it first using the command line (cmd.exe).

    Users are advised to stay vigilant. The optical illusions in the Windows operating system are considered features, which would not be bad at all if they weren’t exploited by criminals.

    Posted in Malware | Certificated Invoices – Exploiting LNK extension

    In the past weeks we have blogged about the scam involving fake bank certificates for Wachovia, Bradesco and Merrill Lynch. All those attacks attempted to play on fears regarding online security, in combination with the international banking crisis.

    Yesterday we noticed that this kind of spam arrived in German mailboxes, and of course in the German language.

    German phishing email

    According to Michael Tants, researcher at European Regional TrendLabs, the quality of the German used is so bad that even somebody who understands only a bit of German would think it could not have been sent by a bank. The text is so poor that it can be considered a joke.

    Nevertheless, Trend Micro customers are prevented from downloading the file even before the specific pattern signature is updated on Trend Micro products, because both the URL and the file are already identified as potentially malicious.

    Fake certificate blocked as Possible_Virus

    Running this farce on a machine without any antivirus protection, we found that on execution the file DABDigicertx.509.exe downloads some components which, after some system changes, finally install a hidden service, new_drv.sys. The affected machine is turned into a zombie.

    new_drv Registry data

    As expected, this new driver (a hidden service) intercepts HTTP and HTTPS streams, sending login information to a third-party host. Our analysis concluded that the third party is located in China, although at the same time a different hidden process attempted to connect to somewhere in Oldenburg, Germany.

    Of course, where the log files show the data might go does not automatically mean that it stays there. However, regardless of where the criminals are geographically located, they still do the same things they always do.

    And don’t forget: for this particular scam there is no way for German customers to get infected. Therefore, we consider this spam some kind of beta test for the next “bank certificates”. Just stay vigilant!



    © Copyright 2013 Trend Micro Inc. All rights reserved.