Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Aljerro Gabon (Anti-spam Research Engineer)

    A few days ago, TrendLabsSM engineers received spam containing salad words (see Figure 1) along with a .ZIP file attachment (see Figure 2). This mixture of random words can be seen in the subject header and in the spam body. This was purposely done by spammers to bypass anti-spam filters that users may already be using. The .ZIP file attachment contains an .RTF file.

    Click for larger view Click for larger view

    Though the .RTF file is not malicious, its contents comprise the actual spam as shown in Figure 3. The .RTF document also displays a link as well as the names of different adult medicine brands (e.g., Viagra, Cialis, Levitra, and others). Clicking the link redirects users to the Canadian pharmacy site shown in Figure 4.

    Click for larger view Click for larger view

    To protect yourself against similar attacks, always pay attention to every detail in email messages you receive. As this example demonstrates, it is sometimes quite easy to distinguish what is real from what is not. All you need to do is to carefully observe.

    Trend Micro™ Smart Protection Network™ already protects product users from this particular threat by preventing the spam from even reaching their inboxes via the email reputation service and by blocking access to the phishing site via the Web reputation service. Non-Trend Micro product users can also stay protected by using free tools like eMail ID, a browser plug-in that helps identify legitimate email messages in inboxes.

    Posted in Spam | TrackBacks (2) »

    Trend Micro researchers found over 200 email samples that spamvertised male sexual enhancement pills. These bore subjects like “Re: Go wild in bedroom,” “Re: Let your lever straight up,” and “Re: Be her concrete-rod satisfier” and contains a URL that points to all-too-familiar Canadian pharmacy websites.

    Click for larger view Click for larger view

    While spammed messages that lead to Canadian pharma sites are not new, there are notable things in this particular spam run. For one, it employed random messages in the email content to avoid spam filters. The spammers also put “Re:” in the subject to make it appear as though it was a reply of sorts. In addition, the FROM and TO fields bear the same email address. It particularly used dictionary form of spam attack where spammers randomly send spammed messages to a generated list of email addresses. Upon further analysis, the domains used were just recently registered.

    As usual, users are advised not to open emails that spamvertise sexual enhancement pills. Trend Micro users are secure from this spam attack with the Smart Protection Network. Non-Trend Micro products users can stay protected from this by using free tools like eMail ID.


    A slightly modified Zbot spam campaign currently making rounds pretend to come from the IT support of various companies. It informs users that a security update in the mailing service caused changes in their mailbox settings. They are instructed to open the ZIP attachment and run the .EXE file, INSTALL.EXE to supposedly apply the changes. Trend Micro detects this as TROJ_FAKEREAN.CF.

    When executed, this Trojan accesses http://{BLOCKED} to download another malicious file detected as TROJ_FAKEREAN.BI.

    Click for larger view Click for larger view

    Spammers usually employed random email address in the FROM and TO field headers but in this case, the actual company domain is used as email addresses in both fields. This is done to make the email message more credible, and convincingly coming internally from the company, thus luring unknowing users into executing the malware.

    This attack is a follow-up on the phishing email we blogged earlier this week. The said email purports as a notification from the company’s “system administrator” to update the user’s system because of a server upgrade. Accordingly, the subdomains are tailor-made to make it more legitimate.

    Users are encouraged not to open suspicious-looking emails even though it supposedly came from a trusted source. It is also advisable that users contact first their IT or tech support in case they received such emails to verify if indeed a security update had occured. Trend Micro protects users from this attack with its Trend Micro Smart Protection Network that blocks and detects the said malicious file.

    Posted in Malware, Spam | 1 TrackBack »

    Michael Jackson has been dead for a week already, but there are still a lot of speculations regarding his death. The spam runs are plenty as well — a Michael Jackson-related spam was seen bearing the subject Who killed Michael Jackson? , coming from a sender named x-files.

    The spam message suggests that the icon was killed, and that information on who murdered him can be seen on the given URL.

    Click for larger view Click for larger view Click for larger view

    Clicking the said link leads to a website, where the user is asked to execute a file, which supposedly contains secret information, in order to find out who killed Michael Jackson.

    But of course, the executable is not at all related to Michael Jackson’s murderer, or to Michael Jackson at all, as the file is really an data-stealer detected by Trend Micro as TROJ_ZBOT.AXY. The Trojan TROJ_ZBOT.AXY connects to a certain URL where it downloads a configuration file containing a list of banking-related websites. Once the user attempts to visit any of the listed sites, a spoofed site is displayed instead of the real one, thus any critical information entered on the spoofed site will be sent to a remote user.

    This threat however, doesn’t stand a chance against the Smart Protection Network as of its all components — spam, URL and file — are already either blocked or detected.


    Click for larger view After spam runs related to UPS, FedEx, and Western Union, another form of invoice spam strikes again!

    We caught a new invoice spam that is purportedly from WorldPay, a division of the Royal Bank of Scotland that specializes in handling secure online payments from all over the world.

    The spammed email message informs users that their transaction with Amazon Inc. has been successfully processed by WorldPay.

    The said email contains a .ZIP file, which holds a malicious file named WorldPay_NR9712.exe. This file is detected by Trend Micro as TSPY_ZBOT.BEO through the Smart Protection Network.

    TSPY_ZBOT.BEO downloads a configuration file from a remote site. This file contains a list of bank-related Web sites, which the spyware monitors in the Internet browser address bars. 

    The URLs listed in the downloaded configuration file may change at any time. As of this writing, the file contains links to the legitimate sites of Bank of America.

    When a user accesses any of the listed URLs, the spyware logs keystrokes to capture data entered in login boxes, including sensitive banking information such as user names and passwords. The gathered information is saved in a file, which is then sent to a remote site through HTTP post.

    Here are previous reports of invoice spam:



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice